Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, according to new findings from VulnCheck.
The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution.
“MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code,” the NIST National Vulnerability Database (NVD) states.
“Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.”
Per security researcher Egidio Romano, who discovered the vulnerability, the problem is rooted in the “/app/system/weixin/include/class/weixinreply.class.php” script, and stems from a lack of adequate sanitization of user-supplied input when issuing Weixin (aka WeChat) API requests.
As a result, remote, unauthenticated attackers could exploit this loophole to inject and execute arbitrary PHP code. One key prerequisite for successful exploitation when MetInfo is running on non-Windows servers is that the “/cache/weixin/” directory has to exist beforehand.The directory is created when installing and configuring the official WeChat plugin.
Patches for CVE-2026-29014 were released by MetInfo on April 7, 2026. The vulnerability has since come under exploitation as of April 25, with a “small number of exploits” deployed against susceptible honeypots located in the U.S. and Singapore.
Although these efforts were initially sparse and associated with automated probing, the activity witnessed a surge on May 1, 2026, focusing on China and Hong Kong IP addresses, Caitlin Condon, vice president of security research at VulnCheck, said. As many as 2,000 instances of MetInfo CMS are accessible online, most of which are in China.
